After researching the issue it seems API credentials are needed for paypal express, not paypal standard. I can't install openssl nor create a key so I'm giving up for now and will just manually check that the payment amount and item price do match.

I have used openssl to generate public and private keys, downloaded the paypal public key etc.

Like you, what I am missing is where to upload these to on the server.... Is it simply a case of creating a new directory, adding these to it and then calling them up from the paypal module in admin? or do I need to install some of the openssl files as well?

Now running on a fully modded 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

OK all of my sites are now secure against this potential exploit, all tested, and trial purchases made.

I would like to post the exact steps to achieve this - does anyone think it would be worthwhile doing that in a new thread or even as a contribution?

Or if nobody is interested I wont bother

Thanks

I use PP IPN on four sites, so I am interested. I looked at openssl, and that for me is a bit of a learning curve as well, but I'll tackle it. Thanks

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.
I remember what it was like when I first started with osC. It can be overwhelming.
However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.
There are several good pros here on osCommerce. Look around, you'll figure out who they are.